AzureAD / microsoft-authentication-library-for-objc

Microsoft Authentication Library (MSAL) for iOS and macOS
http://aka.ms/aadv2
MIT License

How to force iOS app's SSO login through Edge browser instead of Safari? #1502

Closed naveenkumard closed 1 year ago

naveenkumard commented 2 years ago

Hello team,

One of our customers is facing an issue related to SSO login in our app when they try to log in on their MDM device (using MS Intune). They have a conditional access setup in place. Our SSO login flow opens the Safari browser within the app to do the login, but due to the conditional access policy in place, the login fails with error code 53003. They say that other apps (e.g. the Workday iOS app) open the Edge browser to do the login and it succeeds. Now they are asking us to open the login in Edge instead of Safari, and I'm not sure how to achieve this. A similar issue is described here, but I am unable to find the correct way to fix the issue. Please note that our app won't use the MSAL library.

Request to help here. Many Thanks.

naveenkumard commented 2 years ago

@oldalton : Can you help here? Thanks

mipetriu commented 2 years ago

@naveenkumard Thanks for your question. Could you help to clarify your scenario a little bit more? Are users going through the SSO login flow through your app? And are you using ASWebAuthenticationSession or another system browser to open the Safari browser?

Also, just for context, what kind of CA policies are causing the failure in this case?

naveenkumard commented 2 years ago

@mipetriu : Yes, our customer uses the SSO login flow through our app. When the user enters an email id in the UI, our own server determines whether the login is an SSO-based or password-based login flow. If SSO, then our own server returns the SSO URL and our iPhone app loads the URL in a WKWebView. Since WKWebView uses the WebKit engine internally (the same one used by Safari) and they have some kind of conditional access policy set at their end, the login fails with error code 53003.

They say the CA policy is set in such a way that login must happen through the Edge browser, which is an Intune-managed browser. Also note that their devices are MDM compliant.

mipetriu commented 2 years ago

@naveenkumard I see, thanks for the added context. As far as I know, it's not possible on iOS to use a different browser (like Edge) as an embedded webview within the app. MSAL uses Safari webviews, but has specific handling for cases where CA policies must be resolved.

I have a few suggestions that you could try out.

  1. Try using a system browser like ASWebAuthenticationSession rather than a WKWebView. Being a system browser, it should be able to resolve CA policies if the device identity certificate is on the device once it has become managed by Intune. You can check like this:

     Make sure that you have a device identity certificate on your device (on your iPhone, open Settings -> General -> Device Management -> Mobile device management -> More details -> under device identity certificates you should see 2 certificates. One of them should have the title "SCEP profile" and the subtitle "MS-Organization-Access").

  2. Microsoft offers the SSO extension that should allow non-MSAL apps to participate in SSO. The SSO extension has special capabilities to help resolve CA policies as well. Since your app does not use MSAL, your app would need to be specifically added to the allow list.

naveenkumard commented 2 years ago

@mipetriu : Thanks for your response. As you suggested, I tried option 1 but got stuck with a callback URL issue. Let me explain in detail. Once our mobile app receives the SSO login URL, our app loads it using ASWebAuthenticationSession. This launches the system browser to do the login. After the user logs in successfully, it redirects to one of our web app URLs, which loads our web app. Now I'm not sure how to get the callback to the iPhone app instead of our web app.

In the earlier version where I used WKWebView, I used to get delegate API calls when the redirection to our web URL happened. From there I used to get the access token (from WKHTTPCookieStore), use it to make further API calls within the app, and dismiss the WKWebView.

mipetriu commented 2 years ago

@naveenkumard I see. Unfortunately the scenario that you're building is unsupported by Microsoft or MSAL. We wouldn't recommend redirecting the webview to your web app and collecting the token from the WKHTTPCookieStore. MSAL follows the OAuth2/OIDC protocol to request tokens directly on behalf of the application, so we provide a redirect URI to our webview that will return the callback to the app. In the case of ASWebAuthenticationSession, that would be the callbackURLScheme listed in this doc.
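As an added illustration of the callback pattern described in the two comments above (the ASWebAuthenticationSession suggestion and the redirect-URI remark), and not code from this thread, MSAL or the project: a Swift sketch that opens the SSO URL in the system browser and receives the redirect back inside the app via a custom callbackURLScheme, instead of loading the web app and reading tokens out of WKHTTPCookieStore. The scheme `com.example.myapp`, the `redirect_uri` and `state` query parameters, and the `SSOError` type are assumptions; the identity provider is assumed to return an authorization code to that redirect URI.

```swift
import AuthenticationServices
import UIKit

// Assumed placeholder: the custom scheme registered for this app in Info.plist
// (CFBundleURLTypes). The IdP must have the matching redirect URI on its allow list.
let callbackScheme = "com.example.myapp"
let redirectURI = "\(callbackScheme)://auth/callback"

enum SSOError: Error { case missingCode, stateMismatch }   // assumed helper type

final class SSOLogin: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private weak var anchorWindow: UIWindow?

    /// Opens the SSO URL in the system browser (which shares Safari's cookie jar and
    /// can present the Intune device identity) and waits for the redirect back to us.
    /// On success the completion receives the authorization code, never a token
    /// pulled out of a cookie store.
    func start(ssoURL: URL, from window: UIWindow,
               completion: @escaping (Result<String, Error>) -> Void) {
        anchorWindow = window
        // Random state binds the callback to this request (anti-CSRF / mix-up check).
        let state = UUID().uuidString
        // Assumption: the SSO URL accepts redirect_uri and state as query parameters.
        var comps = URLComponents(url: ssoURL, resolvingAgainstBaseURL: false)!
        comps.queryItems = (comps.queryItems ?? []) + [
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "state", value: state),
        ]
        let s = ASWebAuthenticationSession(url: comps.url!,
                                           callbackURLScheme: callbackScheme) { url, error in
            if let error = error { completion(.failure(error)); return }
            let items = url.flatMap {
                URLComponents(url: $0, resolvingAgainstBaseURL: false)?.queryItems } ?? []
            func value(_ name: String) -> String? { items.first { $0.name == name }?.value }
            guard value("state") == state else { completion(.failure(SSOError.stateMismatch)); return }
            guard let code = value("code") else { completion(.failure(SSOError.missingCode)); return }
            completion(.success(code))   // exchange the code at the token endpoint next
        }
        s.presentationContextProvider = self
        s.prefersEphemeralWebBrowserSession = false   // keep shared SSO/device state
        session = s
        s.start()
    }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor {
        return anchorWindow ?? ASPresentationAnchor()
    }
}
```

The returned code is then exchanged for tokens at the token endpoint (by the app or its backend); whether the CA policy is satisfied still depends on the device identity being visible to the system browser, as discussed above.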

naveenkumard commented 2 years ago

@mipetriu : Thanks. We are also working on MAM (mobile application management) support, which requires MSAL in order to apply the app policy on our app. The new app is going to use the MAM and MSAL SDKs to support it. So if we ask our customer to use this new app, which is a dedicated app for Intune, will it solve the conditional access policy issue (the original issue reported here)? The reason I'm asking is that I believe MSAL internally makes use of ASWebAuthenticationSession for login, which is a system browser.

The exact issue that our customer told us about is that the Safari browser, which we use in our existing app to do SSO, is not passing the device ID, which is required information in order to pass the conditional access policy. But the app (Workday) which they use passes that info, and that app uses the Edge browser. So they asked us if we can make changes in our app to use Edge instead of Safari, which could solve the problem.

Sorry I did not phrase the issue correctly in my first comment (dated 2 June), so I have added it here. I have also attached the files for better understanding.

Successful sign-in by the Workday app (uses the Edge browser), which satisfies the conditional access policy: WorkdaySignIn

Unsuccessful sign-in by our app (uses the Safari browser), which does not satisfy the conditional access policy: OurAppSignIn

ameyapat commented 2 years ago

So if we ask our customer to use this new app which is a dedicated app for Intune, will it solve the conditional access policy issue (the original issue reported here)?

Yes, that should resolve the issue if you integrate the MAM and MSAL SDKs correctly.

naveenkumard commented 2 years ago

@ameyapat : Thanks. I'll check on this. If the issue still persists, I will come back.

engy-hussien commented 2 years ago

@naveenkumard I'm facing the same issue now. Could you tell me if you solved the problem? And if yes, what is the solution, please?

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. Please provide additional information if requested. Thank you for your contributions.

naveenkumard commented 2 years ago

@engy-hussien : Sorry for the late reply, as I missed your comment. We have integrated both MSAL and MAM in our app, but we were not able to test it out due to the non-availability of an environment setup at our end.

kaisong1990 commented 2 years ago

@naveenkumard Would you have an ETA for testing? Please let us know if the above suggestions work.

MatteoRed1983 commented 2 years ago

Hi everyone!

We are facing a similar issue and we cannot find any way to solve it at the moment. We want to distribute the Tableau for Intune app in our corporation, and these are the settings:

- Our MDM is Intune
- The Tableau for Intune app is MAM protected and approved in Intune
- We have a conditional access policy that blocks non-enrolled devices
- The authentication method for the app is MSAL

We want to prevent access to this app from the Safari browser, and for this purpose we added an additional conditional access policy that blocks access from non-approved apps in order to force the Edge browser, which is managed. This block works with Safari and we are redirected to use Edge, but then we are also blocked in the app, because MSAL is using the system browser (Safari), which is not approved, so we are blocked in the app as well. During the authentication process inside the app we have also been prompted to use Edge, but when we select this option it goes to Edge and then back to the app with the error "Link Failed". Any suggestion on this from our side (Intune, Azure Conditional Access)? Or can this only be solved by the app developers?

antrix1989 commented 2 years ago

@MatteoRed1983 can you use an embedded browser in MSAL instead of Safari?

Regarding the "Link Failed" error, could you record a video and capture MSAL logs for us to take a look? You can send them to sedemche@microsoft.com

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. Please provide additional information if requested. Thank you for your contributions.

mipetriu commented 1 year ago

@MatteoRed1983, @naveenkumard, @engy-hussien - Closing this issue due to no response. Please re-open if you'd like to further discuss this question.